# Debian 12 LXC template, fetched into the `local` datastore on the node that
# hosts Hermes (var.hermes_node, i.e. gihyeon / node1).
#
# overwrite_unmanaged: a copy of this template already exists in `local` from an
# earlier run but was never recorded in Terraform state. With the default, bpg
# refuses to touch that untracked file ("refusing to override existing file");
# setting it to true lets Terraform adopt/re-download it under management.
#
# NOTE(review): the URL is plain http:// and no checksum is pinned, so neither
# transport nor content integrity of the template is verified before it is used
# to build the container. The bpg download_file resource accepts `checksum` and
# `checksum_algorithm`; pinning the publisher's hash for this exact tarball (and
# preferring https:// if the mirror serves it) would make a tampered or
# corrupted download fail the apply instead of silently becoming the rootfs.
# Obtain and verify the hash out-of-band before adding it here.
resource "proxmox_virtual_environment_download_file" "debian12_template_gihyeon" {
  node_name    = var.hermes_node
  datastore_id = "local"
  content_type = "vztmpl"

  url = "http://download.proxmox.com/images/system/debian-12-standard_12.12-1_amd64.tar.zst"

  # Required because the file pre-dates this resource in Terraform state.
  overwrite_unmanaged = true
}

# Hermes Agent LXC (unprivileged).
#
# What Terraform can and cannot set with the API token in use:
#   - `features { nesting = true }` is set here. Proxmox lets a token holding
#     VM.Allocate change *only* nesting; any other feature flag is rejected with
#     "changing feature flags (except nesting) is only allowed for root@pam".
#     nesting is also what stops the systemd-252 (Debian 12) create from
#     emitting the "enable nesting" warning, which Proxmox returns as
#     TASK WARNINGS and which fails the apply.
#   - keyctl (if Docker needs it), fuse, and the host-path bind mounts (mp0/mp1)
#     require root@pam, so they are applied on the node console with `pct set`
#     (see scripts/hermes-bootstrap.sh and
#     docs/superpowers/specs/2026-06-18-hermes-agent-lxc-design.md).
# `lifecycle.ignore_changes` below keeps a routine `terraform apply` from trying
# to strip those console-applied settings, which would fail without root@pam.
resource "proxmox_virtual_environment_container" "hermes" {
  node_name     = var.hermes_node
  vm_id         = var.hermes_vmid
  description   = "Hermes Agent (Nous Research) - Managed by Terraform"
  tags          = ["ai", "agent", "terraform"]
  unprivileged  = true
  start_on_boot = true

  operating_system {
    template_file_id = proxmox_virtual_environment_download_file.debian12_template_gihyeon.id
    type             = "debian"
  }

  cpu {
    cores = var.hermes_cores
  }

  memory {
    dedicated = var.hermes_memory
    swap      = var.hermes_swap
  }

  disk {
    datastore_id = var.hermes_datastore
    size         = var.hermes_disk_size
  }

  network_interface {
    name   = "eth0"
    bridge = var.hermes_network_bridge
  }

  initialization {
    hostname = var.hermes_hostname

    ip_config {
      ipv4 {
        address = "dhcp"
      }
    }

    dns {
      servers = var.dns_servers
    }
  }

  # The only feature flag an API token may set (see header comment).
  features {
    nesting = true
  }

  # keyctl and mount points are managed out-of-band as root@pam; do not let
  # Terraform "correct" the drift it sees on them.
  lifecycle {
    ignore_changes = [features, mount_point]
  }
}